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EXAMINER'S ANSWER 



This is in response to the appeal brief filed 5/10/10 appealing from the Office action 
mailed 12/8/09. 
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(1) Real Party in Interest 

The examiner has no comment on the statement, or lack of statement, identifying 
by name the real party in interest in the brief. 

(2) Related Appeals and Interferences 

The examiner is not aware of any related appeals, interferences, or judicial 
proceedings which will directly affect or be directly affected by or have a bearing on the 
Board's decision in the pending appeal. 

(3) Status of Claims 

The following is a list of claims that are rejected and pending in the application: 

Claims 41, 47, 48, 50, and 53-58 are rejected under 35 U.S.C. 102(e) as being 
anticipated by USP Application Publication 2003/0172109, to Dalton et al., hereinafter 
Dalton. 

(4) Status of Amendments After Final 

The examiner has no comment on the appellant's statement of the status of 
amendments after final rejection contained in the brief. 
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(5) Summary of Claimed Subject Matter 

The examiner has no comment on the summary of claimed subject matter 
contained in the brief. 

(6) Grounds of Rejection to be Reviewed on Appeal 

The examiner has no comment on the appellant's statement of the grounds of 
rejection to be reviewed on appeal. Every ground of rejection set forth in the Office 
action from which the appeal is taken (as modified by any advisory actions) is being 
maintained by the examiner except for the grounds of rejection (if any) listed under the 
subheading "WITHDRAWN REJECTIONS." New grounds of rejection (if any) are 
provided under the subheading "NEW GROUNDS OF REJECTION." 

(7) Claims Appendix 

The examiner has no comment on the copy of the appealed claims contained in 
the Appendix to the appellant's brief. 



(8) Evidence Relied Upon 

USP Application Publication 2003/0172109 Daltonetal. 11-2003 
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(9) Grounds of Rejection 

The following ground(s) of rejection are applicable to the appealed claims: 

Claims 41, 47, 48, 50, and 53-58 are rejected under 35 U.S.C. 102(e) as being 
anticipated by USP Application Publication 2003/0172109, to Dalton et al., 
hereinafter Dalton. 

As per claim 41 , Dalton teaches a computer readable medium comprising a set 
of one or more instructions which, when executed by one or more processors, cause 
the one or more processors to perform the method of: 

in an operating system environment controlled by a single operating system 
kernel instance (0022), establishing a global zone [operating system as a whole] 
comprising a first non-global zone [compartments; 0021], wherein the first non-global 
zone comprises a first file system [main file system; 0025] and wherein the global zone 
comprises a second file system [restricted file system; 0023]; 

receiving, from a first process, a first request to perform a first operation [0061], 
wherein the first process is associated with a first set of privileges [tags or labels] and is 
executed by at least one of the one or more processors, and wherein the first set of 
privileges restrict the first process to the first non-global zone [not permitted to change 
to the root of the file system; 0061]; 
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in response to the first request, determining whether performing the first 
operation is within the first set of privileges (0061 ); and 

denying the first request if performing the first operation is not within the first set 
of privileges (0063). 

As per claim 54, Dalton teaches a system comprising: 

at least .one processor (computers inherently possess processors); 

a computer readable medium, comprising a set of instructions which, when 

executed by the at least one processor, cause the at least one processor to perform the 

method of: 

in an operating system environment controlled by a single operating system 
kernel instance (0022), establishing a global zone [operating system as a whole] 
comprising a first non-global zone [compartments; 0021], wherein the first non-global 
zone comprises a first file system [main file system; 0025] and wherein the global zone 
comprises a second file system [restricted file system; 0023]; 

receiving, from a first process, a first request to perform a first operation [0061], 
wherein the first process is associated with a first set of privileges [tags or labels] and is 
executed by at least one of the one or more processors, and wherein the first set of 
privileges restrict the first process to the first non-global zone [not permitted to change 
to the root of the file system; 0061]; 

in response to the first request, determining whether performing the first 
operation is within the first set of privileges (0061 ); and 
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denying the first request if performing the first operation is not within the first set 
of privileges (0063). 

As per claims 47 and 55, Dalton teaches performing the first operation comprises 
accessing an object, the method further comprising: determining whether the first 
process has permission to access the object [preventing transitioning to root and 
restricting a process to only those objects in its compartment; 0025]. 

As per claims 48 and 56, Dalton teaches the first operation includes one of: 
mounting/unmounting a file system, overriding file system permissions, binding to a 
privileged network port, and controlling other processes with different user identifiers 
[0043; binding to a privileged network port]. 

As per claims 50 and 57, Dalton teaches receiving, from a second process 
associated with a second set of privileges [its own specific labels or tags], a second 
request to perform a second operation (0061), wherein the second process is executing 
in the global zone, and wherein the second process is executed by at least one of the 
one or more processors (0061 ); 

in response to the second request, determining whether performing the second 
operation is within the second set of privileges (0061); and 

denying the second request if performing the second operation is not within the 
second set of privileges (0063). This request would be executed if the application has 
the label or tags to permit it to transition to the root of the file system, thus out of one of 
the compartments [non-global zone]. 
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As per claims 53 and 58, Dalton teaches the second operation includes one of: 
modifying all process privileges, writing to system administration file, opening device 
holding kernel memory, modifying operating system code, accessing file systems 
restricted to root user, setting the system clock, changing scheduling priority of an 
executing process, reserving resources for an application, directly accessing a network 
layer and loading kernel modules [0061-0063; application is preventing from gaining 
admin level privileges]. 

(10) Response to Argument 

Response to 1 . 

With respect to Appellant's argument in section 1 . of the Appeal brief, the 
Examiner respectfully disagrees and refers Appellant to the rejection above as well as 
the detailed discussion set forth below. 

Response to 1a. 

With respect to Appellant's argument in section 1a. of the Appeal Brief, the 
Examiner agrees that the plain and ordinary meaning should be afforded to the claim 
language. In this particular instance, the meaning given to file system has been 
commensurate with an I/O interface structure that provides access to directories. 
Dalton clearly teaches a file system in which access to directories is provided (0025). 
Processes are able to access files within their respective file systems (0097) and it is 
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noted that each compartment has its own particular file system (0025). 
Response to 1b. 

With respect to Appellant's argument in section 1b. of the Appeal Brief, the 
Examiner respectfully disagrees that Dalton fails to identity a first and second file 
system. There is a need to look beyond merely the word used to name elements in 
Dalton and rather look into the actual function of the elements themselves in order to 
gain a true understanding into the actual application of Dalton. On the surface the "OS 
environment" and "compartments" in Dalton are not named "global region" and "non- 
global region" respectively, however, upon closer inspection it can be seen that Dalton's 
"OS environment" and "compartments" provide equivalent functionality as the "global 
region" and "non-global region" with respect to file systems. Dalton teaches the OS 
environment has its main file system (0025) which corresponds to the claim's second 
file system because it is the name associated with the file system of the global zone. 
Likewise, the claim's first file system is analogous to the non-overlapping restricted 
subset sections of Dalton (0025). Each isolated compartment has its very own file 
system, instantiated by a local directory. Under Appellant's own definition of a file 
system, Dalton's system is clearly providing an I/O interface that provides access to 
directories for each compartment, separate from the main file system. Processes in 
each compartment only have access to those directories in their respective 
compartment's file system. 
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Turning to Appellant's specification for more evidence, beginning in paragraph 
[0052], Appellant describes a mounted file system in which zones act like directory 
boundaries for processes within those zones. Dalton's file systems are precisely 
described in the same fashion (0097). In fact, both Dalton and Appellant teach that their 
file systems within the zones have their own root. In both inventions, the operation 
chroot only transitions to the root of the zone as opposed to the main system's root. 
This contains processes to their respective zone/compartment and resources. Dalton's 
specifically teaches a file structure hierarchy that defines compartments (Fig. 1 1 ). 
Appellant's alleges this is somehow different to the claims even though their own 
invention uses the same hierarchy. Appellant's Fig. 2C and accompanying disclosure in 
paragraph (0055), precisely define a global zone file system (290) having a subdirectory 
291 to which file system 290(a) of non-global zone A, 140(a), is mounted. In both 
inventions a second file system is defined and implemented as part of subsection of the 
main system. 

In response to applicant's argument that the references fail to show certain 
features of applicant's invention, it is noted that the features upon which applicant relies 
(i.e., two separate I/O interfaces) are not recited in the rejected claim(s). Although the 
claims are interpreted in light of the specification, limitations from the specification are 
not read into the claims. See In re Van Geuns, 988 F.2d 1 181 , 26 USPQ2d 1057 (Fed. 
Cir. 1993). The argument seems to imply that there are a plurality of physical I/O 
interfaces in the instant invention, but the specification does not support this. 
Paragraph [0058] discloses that the file systems 180(a) and 180(b) are mapped to a 
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single physical storage. Assuming the physical storage has one physical interface, 
each of the "virtual" zones would each use the same physical interface. 

Response to 2. 

With respect to Appellant's argument in section 2. of the Appeal brief, the 
Examiner respectfully disagrees and refers Appellant to the rejection and discussion 
above as well as the detailed discussion set forth below. 

Response to 2a. 

With respect to Appellant's argument in section 2a. of the Appeal brief, the 
Appellant argues the global zone and non-global zone are not properly constructed in 
Dalton. Examiner respectfully disagrees. As previously explained, there is a need to 
look beyond merely the word used to name elements in Dalton and rather look into the 
actual function of the elements themselves in order to gain a true understanding into the 
actual application of Dalton. On the surface the "OS environment" and "compartments" 
in Dalton are not named "global region" and "non-global region" respectively, however, 
upon closer inspection it can be seen that Dalton's "OS environment" and 
"compartments" provide equivalent functionality as the "global region" and "non-global 
region". Appellant states that their global zone refers to the general operation system 
environment. Dalton teachings concur with this assessment. Dalton's OS environment 
performs this same functionality (0022). The term "non-global zone" as defined by 
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Appellant's specification states that the non-global zone represents separate and 
distinct partitions of the OS environment. Dalton's compartments are used for the exact 
same purpose (0023). As such, Examiner finds no difference between the claim's 
"global region" and "non-global region" and Dalton's "OS environment" and 
"compartments". 

Response to 2b. 

With respect to Appellant's argument in section 2b. of the Appeal brief, the 
Appellant argues the global zone, non-global zone, and file systems are not properly 
arranged in Dalton. Examiner respectfully disagrees. Appellant's position is that there 
is only one file system in Dalton and by that view, the non-global zone cannot have a 
distinct file system. Appellant further defends this position by arguing the file system in 
each of Dalton's compartments is only a subset of the host file system. By this line of 
reasoning, Appellant's own invention would fail to have a separate file system in each 
the zone. Fig. 2C clearly shows the file system 290(a) of non-global zone A 140(a) is a 
mounted subset of the main file system 290. Moreover, the claim's first file system, 
originating in the non-global zone is merely a subset of the second file system which 
originates in the global zone. Examiner finds the Appellant's zones to be equivalent to 
the Dalton's compartments and each has their own file system. Consequently, the 
same arrangement of the claim's global zone, non-global zone, and file systems is 
taught by Dalton. 
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(11) Related Proceeding(s) Appendix 

No decision rendered by a court or the Board is identified by the examiner in the 
Related Appeals and Interferences section of this examiner's answer. 

For the above reasons, it is believed that the rejections should be sustained. 
Respectfully submitted, 

/MICHAEL RVAUGHAN/ 
Examiner, Art Unit 2431 

Conferees: 

/William R. Korzuch/ 

Supervisory Patent Examiner, Art Unit 2431 

/Christopher A. Revak/ 
Primary Examiner, Art Unit 2431 



